Audit Report

OIG-12-052

INFORMATION TECHNOLOGY: Financial Management Service Successfully Demonstrated Recovery Capability for Treasury Web Application Infrastructure

May 11, 2012

Office of Inspector General
Department of the Treasury

Contents

Audit Report

    Results in Brief ........................................ 1
    Background .............................................. 2
    Findings and Recommendations ............................ 4
        GWA and SAM Did Not Fully Complete Reconstitution Test Objectives ... 4
            Recommendation .................................. 5
        TWAI Documentation Could Be Improved ................ 6
            Recommendation .................................. 7

Appendices

    Appendix 1: Objectives, Scope, and Methodology .......... 9
    Appendix 2: Management Response ........................ 10
    Appendix 3: Major Contributors to This Report .......... 12
    Appendix 4: Report Distribution ........................ 13

Abbreviations

    DRE     Disaster Recovery Exercise
    EROC    East Rutherford Operations Center
    FRB     Federal Reserve Bank
    FMS     Financial Management Service
    GWA     Government-wide Accounting
    ITS     International Treasury Services
    NIST    National Institute of Standards and Technology
    OIG     Office of Inspector General
    SAM     Shared Accounting Module
    SRDF    Symmetrix Remote Data Facility
    TD P    Treasury Directive Publication
    TWAI    Treasury Web Application Infrastructure

Financial Management Service Successfully Demonstrated Recovery Capability for Treasury Web Application Infrastructure (OIG-12-052)

Audit Report
OIG
The Department of the Treasury
Office of Inspector General

May 11, 2012

David A. Lebryk
Commissioner
Financial Management Service

The overall objective of this audit was to determine if the Financial Management Service (FMS) could successfully demonstrate its disaster recovery capability for the Treasury Web Application Infrastructure (TWAI).

To accomplish our objective, we reviewed planning documentation for the disaster recovery exercise (DRE), observed the exercise held at the Federal Reserve Bank (FRB) of Dallas on February 12, 2011, performed a limited security assessment of the facility while on site, and reviewed the DRE results report afterward.

We performed our fieldwork in the Washington, DC, metropolitan area and Dallas, Texas, from January 2011 through March 2012. The audit was conducted in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are described in more detail in appendix 1.

Results in Brief

We found that FMS successfully demonstrated its disaster recovery capability for TWAI. However, we found that two TWAI applications, Government-Wide Accounting (GWA) [1] and Shared Accounting Module (SAM) [2], did not complete 1 of 3 DRE reconstitution test objectives. Additionally, we found that TWAI documentation could be improved to include information required by the National Institute of Standards and Technology (NIST) and the Department. We are making two recommendations to the Commissioner of FMS to address these findings.

[1] GWA uses web technology to simplify the reporting and reconciliation processes of Federal agencies.
[2] SAM is a central repository for accounting business rules. These rules are used to validate data SAM receives from other programs; SAM then sends reports to GWA.

In a written response to a draft copy of this report, the Commissioner agreed with our findings and recommendations and provided plans for corrective actions (see appendix 2). With respect to GWA and SAM not completing 1 of 3 DRE reconstitution test objectives, FMS officials told us that the original issue has been fixed with the implementation of the latest software release on April 14, 2012. With regard to TWAI documentation needing improvement to include NIST and the Department's requirements, FMS management stated that they developed and issued an FMS TWAI Contingency Plan template and Contingency Plan Test Results template in the NIST suggested format in November 2011 and October 2011, respectively.

FMS's corrective actions, if implemented as described, meet the intent of our recommendations.

Background

FMS provides central payment services to federal program agencies, operates the federal government's collections and deposit systems, and oversees a daily cash flow of $89 billion. FMS maintains multiple financial and information systems to help it process and reconcile monies disbursed and collected by government agencies. One such system is TWAI, a secure application infrastructure with internet and dedicated telecommunications connectivity. FMS has 14 computer applications that rely on TWAI for common infrastructure services. Eight of those applications are hosted in the FRB facility in East Rutherford, New Jersey, known as the East Rutherford Operations Center (EROC), and six are hosted in the FRB facility in Dallas, Texas. The eight applications hosted in EROC use Dallas as their alternate processing site in the event of a disaster, and those hosted in Dallas use EROC as their alternate processing site.

On February 12, 2011, FMS ran a DRE to verify that the eight TWAI applications hosted in EROC could be recovered to perform their functions at the alternate processing site in Dallas, and then return to their primary site.

The eight TWAI applications tested as part of this DRE were:

•   Cash Track Web – This application supports several cash management activities for Treasury.

•   GWA – This application uses web technology to simplify the reporting and reconciliation processes of federal agencies.

•   Intra-Governmental Payment and Collections – This application provides a standard interagency fund transfer mechanism for federal program agencies.

•   Internet Payment Platform – This application provides a centralized electronic invoicing and payment information portal to agencies, payment recipients, and FMS.

•   International Treasury Services (ITS) – This application is a portal for government international payments and collections.

•   SAM – This application is a central repository for accounting business rules, used to classify and validate data provided by feeder systems and report to GWA.

•   Treasury General Account Deposit Reporting Network – This application allows agency personnel to prepare electronic deposit reports and provides financial institutions and FRBs with the ability to confirm deposits, create adjustments, and submit confirmed deposits and adjustments.

•   Treasury Tax and Loan Plus – This application provides financial institutions and federal agencies with the ability to download forms and reports, enter federal tax deposits, make changes to existing financial information, upload files, and receive messages.

Each application team has its own contingency plan to follow in the event of a disaster. After recovering to the alternate site in response to a disaster, applications reconstitute at their primary site to resume normal operations. Part of each application's contingency plan test was a reconstitution phase consisting of three objectives: (1) Symmetrix Remote Data Facility (SRDF) to Primary, (2) Sorry Page Reconstitution, and (3) EROC Primary Application. The three objectives were not dependent on one another for their individual success. The goal of the "SRDF to Primary" objective was to replicate data from the contingency site to the primary site. The "Sorry Page Reconstitution" objective was to ensure that users are redirected to a "sorry page" if the application is unavailable. Lastly, the objective of "EROC Primary Application" was to verify that the application was working correctly at EROC, the primary processing site.

We reviewed the Information Technology Contingency Plans [3] for each of the eight applications being tested, as well as the TWAI Information Technology Contingency Plan, for completeness. Each contingency plan we reviewed contained information on recovering its particular information system's operation from EROC to Dallas. We also reviewed the DRE results report, "East Rutherford Operations Center to Dallas Disaster Recovery Exercise Results" (March 2011). The results report contained a narrative description of the DRE, metrics describing how long each application took to achieve particular goals, action items, and lessons learned.

[3] A contingency plan for an information system provides established procedures for the assessment and recovery of a system following a disruption.

Findings and Recommendations

Finding 1    GWA and SAM Did Not Fully Complete Reconstitution Test Objectives

Although FMS successfully demonstrated its disaster recovery capability for TWAI, we found that GWA and SAM did not complete 1 of 3 DRE reconstitution test objectives. Specifically, the "SRDF to Primary" test objective was aborted for GWA and SAM during the exercise. The goal of the "SRDF to Primary" objective was to replicate data from the alternate processing site in Dallas to the primary site in EROC. For GWA and SAM, part of this objective was to transfer a file from GWA to SAM. The file transfer was unsuccessful. During the DRE, FMS management was unable to determine the cause of the file transfer error. Therefore, FMS management made a risk-based decision to abort the test objective and open a trouble ticket to investigate the error after the DRE ended.

According to the "TWAI East Rutherford Operations Center to Dallas Contingency Disaster Recovery Exercise Objectives" (January 25, 2011), "Recovery/Reconstitution" is the reconstitution method for both GWA and SAM. This means that for GWA and SAM to be considered fully successful in meeting their DRE objectives, each application must complete data replication from the alternate processing site to the primary site.

FMS management ultimately attributed the cause of the file transfer error to an improperly formatted database command. At the time of the DRE, the cause of the file transfer error was not apparent. After the DRE, an FMS investigation found that the database command entered at the primary site was missing a pair of quote marks, [4] resulting in the file transfer error. The only data validation procedure in place at the time was to have a second person review the input.
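The report's point is that the only control on a hand-typed command was a second-person review, and that a missing pair of quote marks slipped past both people. The automated pre-execution check a practitioner would add is shown below as an added example; it is not part of the OIG report or of FMS's systems. It assumes the command grammar SET <NAME>=<value>, generalised from the two commands quoted in the report's footnote 4, that AGNCY_ID is an identifier field whose value must be quoted, and that an unquoted numeric token would be read as a number (so 072 becomes 72); none of these details are stated in the report.

```python
import re

# Assumption (not stated in the report): AGNCY_ID holds an identifier, not a
# quantity, so its value must always be quoted; unquoted, a leading zero such
# as the one in 072 could be dropped when the token is read as a number.
STRING_FIELDS = {"AGNCY_ID"}

# Assumed command grammar, generalised from the two commands in footnote 4:
#   SET <NAME>=<value>   with an optional trailing semicolon
_SET_RE = re.compile(r"^\s*SET\s+([A-Za-z_]\w*)\s*=\s*(.*?)\s*;?\s*$",
                     re.IGNORECASE)


def bare_value_as_number(value):
    """Show how an unquoted token would be stored if it were read as a number.

    Returns the normalised number as text ("072" -> "72"), or None when the
    token is not a plain decimal integer (a quoted value is never a number).
    """
    try:
        return str(int(value, 10))
    except ValueError:
        return None


def check_set_command(cmd):
    """Pre-execution check for a hand-typed SET command.

    Returns a list of problem descriptions. An empty list means every rule
    passed and the command may go to the operator; anything else should stop
    execution before the second-person review even starts.
    """
    m = _SET_RE.match(cmd)
    if not m:
        return ["does not match SET <NAME>=<value>"]
    name, value = m.group(1).upper(), m.group(2)

    if value == "":
        return [f"{name}: empty value"]

    # A quote at only one end is the classic typo: fail fast, the rest of the
    # value cannot be interpreted reliably.
    opens = value.startswith("'")
    closes = len(value) >= 2 and value.endswith("'")
    if opens != closes:
        return [f"{name}: unbalanced quote in {value}"]
    quoted = opens and closes

    problems = []
    if name in STRING_FIELDS and not quoted:
        msg = f"{name}: string field given unquoted value {value}"
        as_number = bare_value_as_number(value)
        if as_number is not None and as_number != value:
            msg += f" (would be stored as {as_number}, not {value})"
        problems.append(msg)

    if quoted and "'" in value[1:-1]:
        problems.append(f"{name}: stray quote inside quoted value {value}")

    return problems


def review_batch(commands):
    """Check a whole runbook step at once; returns {command: problems}."""
    return {cmd: check_set_command(cmd) for cmd in commands}


if __name__ == "__main__":
    # The two commands quoted in footnote 4: the one typed during the DRE and
    # the one that should have been typed.
    for cmd, problems in review_batch(["SET AGNCY_ID=072",
                                       "SET AGNCY_ID='072'"]).items():
        print(f"{cmd:22} -> {'OK' if not problems else '; '.join(problems)}")
```

Run against the two commands from footnote 4, the check rejects the typed one and passes the intended one. The "would be stored as 72" message is the part a human reviewer is least likely to reason through on screen, since 072 and '072' look equivalent until the value is parsed.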
When the data was entered, neither the operator nor the reviewer caught the missing quote marks.

[4] The command entered was "SET AGNCY_ID=072", and it should have been "SET AGNCY_ID='072'".

As a result, the incorrectly formatted data caused an error with two applications, GWA and SAM, which prompted FMS management to abort the objective. If the file transfer had succeeded, GWA and SAM would have successfully reconstituted in EROC and met the "SRDF to Primary" test objective. In a real disaster, this error would have delayed reconstitution at the primary processing site while the problem was investigated and fixed.

Recommendation

We recommend that the Commissioner of FMS, in a timely manner, identify a solution to remedy the cause of the file transfer error identified by FMS's investigation for GWA and SAM, and test and implement that solution.

Management Response

FMS officials stated that the original issue has been fixed with the implementation of the latest software release on April 14, 2012.

OIG Comment

Management's corrective action, if implemented as described, meets the intent of our recommendation.

Finding 2    TWAI Documentation Could Be Improved

Based on our review of the DRE documents, we found that the TWAI documentation could be improved. Specifically, we found that the TWAI and ITS contingency plans and the DRE results report were missing information required by NIST and the Department. For example, we found that the TWAI contingency plan did not have information on potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster. Additionally, the ITS contingency plan did not include metrics to measure recovery objectives. Also, the ITS contingency plan did not make the purpose of the changes clear in its change log. Finally, the DRE results report did not include a testing point of contact and did not include a description of the DRE including expected and actual results. These elements are required by NIST Special Publication 800-53A [5] and Treasury Directive Publication (TD P) 85-01. [6]

FMS management stated that NIST Special Publication 800-34, Revision 1, "Contingency Planning Guide for Federal Information Systems" (May 2010), was followed for contingency plans and DRE testing documentation. However, the documentation was not fully compliant with NIST Special Publication 800-53A and TD P 85-01 requirements even though FMS management was aware of them.

[5] NIST Special Publication 800-53A, Revision 1, "Guide for Assessing the Security Controls in Federal Information Systems and Organizations" (June 2010)
[6] TD P 85-01, Vol. 1, "Treasury Information Technology Security Program" (Nov. 2006)

Recommendation

We recommend that the Commissioner of FMS take action to ensure that all FMS TWAI DRE documentation fully complies with NIST Special Publication 800-53A and TD P 85-01 requirements.

Management Response

FMS officials stated that NIST allows for flexibility in implementing the guidance in its Special Publications and that FMS has taken the following corrective actions to ensure their documentation is consistent with NIST guidance:

•   Developed and issued a required FMS TWAI Contingency Plan template for all TWAI applications in November 2011, and conducted compliance reviews against the template.

•   Developed and issued a Contingency Plan Test Results template in October 2011 to ensure that the format for all contingency plan test results is consistent and follows the suggested NIST format, and conducted compliance reviews against the template.

OIG Comment

Management's corrective actions, if implemented as described, meet the intent of our recommendation.

******

I would like to extend my appreciation to the Commissioner of FMS and his staff for the cooperation and courtesies extended to my staff during the audit. If you have any questions, please contact me at (202) 927-5171 or Abdirahman Salah, Information Technology Audit Manager, at (202) 927-5763. Major contributors to this report are listed in appendix 3.

/s/

Tram Jacquelyn Dang
Director of Information Technology Audits

Appendix 1
Objectives, Scope, and Methodology

The overall objective of this audit was to determine if the Financial Management Service (FMS) could successfully demonstrate its disaster recovery capability for the Treasury Web Application Infrastructure (TWAI). This audit was included in the Office of Inspector General Annual Plan for 2011.

To accomplish our objective, we reviewed planning documentation related to TWAI applications and disaster recovery exercise (DRE) objectives, observed the DRE held on February 12, 2011, at the Federal Reserve Bank in Dallas, Texas, performed a limited physical security assessment while on site, including walkthroughs, personnel interviews, and policy reviews, and reviewed the DRE results report prepared by FMS in March 2011.

We reviewed the DRE for adherence to applicable criteria, including National Institute of Standards and Technology special publications and Treasury policies, to determine if the disaster recovery capability had been successfully demonstrated.

We performed our fieldwork in the Washington, DC, metropolitan area and Dallas, Texas, from January 2011 through March 2012.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix 2
Management Response

Appendix 3
Major Contributors to This Report

Office of Information Technology (IT) Audits

    Tram J. Dang, Audit Director
    Abdirahman Salah, IT Audit Manager
    Dan Jensen, IT Specialist
    Timothy Cargill, Referencer

Appendix 4
Report Distribution

Financial Management Service

    Commissioner

Department of the Treasury

    Office of the Chief Information Officer
    Office of Strategic Planning and Performance Management
    Office of the Deputy Chief Financial Officer, Risk and Control Group

Office of Management and Budget

    Office of Inspector General Budget Examiner